.svg)
- Leadership changes put brakes on open finance work, complaint argues
- Banks raise concerns about lack of cybersecurity legislation
- Legal challenge can be "very effective in making change", expert says
A Mexican citizen has filed a challenge against the country’s central bank and financial system regulator for their failure to issue secondary regulations underpinning open finance in Mexico.
Juan Pablo Ybarra Llamas argues that Mexico’s central bank, Banxico, and financial system regulator, Comisión Nacional Bancaria y de Valores (CNBV), have unlawfully delayed secondary rules that would standardise data sharing between financial institutions.
Mexico’s once pioneer Fintech Law requires financial institutions to establish APIs that allow them to share open finance data, aggregate data and transactional data with other companies.
The law passed in 2018 required the CNBV to issue secondary rules that standardise data sharing via APIs within 24 months.
But, to date, the regulator has only published secondary provisions for data sharing related to ATM and bank information. This was complemented by guidelines issued by Banxico in 2020 concerning credit information companies.
The industry is hence still waiting for the secondary provisions that will lay down rules for data sharing via APIs so that open finance can finally take off.
Presidents come and go
According to the complaint, much of the delay has been the result of leadership changes at the CNBV.
By the end of 2021, the CNBV had already made significant progress towards the creation of secondary rules for transactional data sharing.
It also had draft guidelines on customer consent and safety measures, along with draft rules for architecture and compensations for data sharing.
In that draft, regulations allowed bigtech firms to seek regulatory approval to get access to transactional data, local newspaper El Economista said.
Despite the progress, the work was put on hold in November 2021 when the former president of the CNBV and its vice president for regulatory affairs stepped down.
Ybarra, who has held positions at various fintech firms, is now concerned that upcoming government changes may delay the issuance of the secondary regulations even further and that these rules may not get issued during the next six-year term.
Regulators do not want to set a precedent
Ybarra invokes his constitutional rights as the basis for his legal action.
“By not having the operating rules for standardised APIs, my ability to choose between a greater offer and variety of financial products and services that adapt to my needs and preferences is limited," the complaint says.
He argues that the lack of rules violates his human right to access financial services under Article 4 of the Constitution and his right to grant or revoke his consent for financial data sharing under Article 6 of the Constitution.
It is highly uncommon for a Mexican citizen to sue a regulator or the central bank.
“From the outside, it’s hard to gauge what credence will be given to the claims behind the lawsuit. From a market perspective, there may be a real capability for this to effect change,” according to Lauren Jones, director of market development at Open Banking Exchange.
“If it follows through it would be hard for the CNBV and Banxico to set a precedent where there are then multiple citizens making claims against the regulator or the central bank for infringing their rights,” she said, noting that “it remains to be seen what they will do and how quickly”.
“I am sure both the central bank and CNBV will be evaluating their roles and will be very well aware of the institutional boundaries that exist between them. They will need to work out how to move the dial together.
“It cannot be underestimated the scale of the challenge when implementing a national open banking programme," according to Jones. "Often it takes more than just the mere regulation to make long-lasting change and positive impact but the appropriate regulation is important to achieve the overall public policy objectives.”
Lack of cybersecurity legislation could be a factor
Although Ybarra blames the regulators for the delay, concerns have been raised that Mexico’s cybersecurity framework, or more specifically the lack of it, may have also contributed to the delay.
Mexico suffered the most cyber-attacks in Latin America in the first half of 2022, according to cybersecurity firm Fortinet.
The country has no cybersecurity legislation and data security protections are mainly based on sectoral guidelines.
As a result, the absence of cybersecurity legislation may have led to nervousness in exposing data to third parties and have put pressure on the regulator to address the issue.
This may, however, change soon as lawmakers introduced a bill in the Chamber of Deputies in April that aims to create a comprehensive regulatory framework for cybersecurity.
